The Klez virus

Introduction to the Klez virus

Appearing early in 2002, the Klez virus is still everywhere on networks, and the danger it poses is even higher due to the new variants that keep cropping up (like Klez.e, Klez.g, Klez.h, Klez.i, Klez.k, etc.). The new versions of the virus include increasingly clever self-distribution mechanisms, allowing them to spread even more easily. The KLEZ virus (code name W32.Klez.Worm@mm) is a worm which spreads by email. It also has 4 other ways to spread:

The web

Shared folders

Microsoft IIS security holes

File transfer

At particular risk are users of Microsoft Outlook in Windows 95, 98, Millennium, NT4, 2000 and XP, as well as Microsoft Internet Explorer users.

What the virus does

The Klez worm retrieves the list of addresses found in the address book of Microsoft Outlook or Eudora, as well as instant message clients (ICQ).

Next, the Klez virus sends all recipients an e-mail, using its own SMTP server.

Using this process, the Klez virus generates emails with an empty body and a subject chosen at random from a list of about a hundred preset choices. It attaches to the email an executable file which contains a variant of the virus. The virus uses an .eml extension to exploit a security flaw in Microsoft Internet Explorer 5.

The Klez virus is distinguished by its ability to send emails which look like they came from a sender whose address was found on the victim's machine (shown in the from field in the email sent).

More recent versions of the virus even carry tools for thwarting the most common anti-virus programs.

Worse, its own authors have programmed a false corrective measure for the virus, sent to the victims in an email entitled Worm Klez.E immunity. The virus also sends false error messages claiming that a message could not be delivered, which contain yet another copy of the virus as an attached file!

Viewing Web pages on servers infected by the Klez virus may lead to infection when a user views pages with the vulnerable Microsoft Internet Explorer 5 browser.

The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information Server) Web server, by exploiting certain security holes.

Finally, like its cousins, the virus infects executable files found on the infected machine, meaning that it can also spread by file transfers.

The Klez virus is programmed to delete randomly chosen files on the 6th of the month during odd-numbered months. To top it all off, on January 6 and July 6, the virus will erase all files on the hard drive!

Symptoms of infection

The Klez virus uses as many resources as it can on the infected machines. If your computer is reacting slowly and strangely, the first thing to do is to scan all your hard drives with your antivirus software, with the understanding that the virus may have altered the antivirus program to avoid being detected.

Eradicating the virus

To eradicate the Klez virus, the best method involves first disconnecting the infected machine from the network, then using up-to-date antivirus software or the Symantec virus removal tool (preferably after restarting the computer in safe mode): Download the virus removal tool

What's more, the virus can spread using a security hole in Microsoft Internet Explorer, which means that you may catch the virus by visiting an infected site. To fix it, you must download the patch for Microsoft Internet Explorer 5.01 and 5.5. Please check the version of your browser, and download the patch if need be: http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

As the virus falsifies the sender's email address (in the from field), it is recommended that you not respond to the email's sender. Instead, check the Return-Path field of the message and reply to whichever address is listed there.
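The check described above (comparing the spoofed From address with the Return-Path) can be automated together with the other traits this page lists: an empty body and an executable attachment carrying an .eml name. The following is an added example, not code from the original page; the message it parses is a constructed sample, and the address values and the list of flagged extensions are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a Klez-style message (not a real capture): the From
# header names someone from the victim's address book, the Return-Path shows
# where it really came from, the body is empty and an executable is attached
# under an .eml name. The base64 payload is just the word "placeholder".
SAMPLE_MESSAGE = b"""Return-Path: <relay-user@example.net>
From: "Trusted Colleague" <colleague@example.org>
To: victim@example.org
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

--B1
Content-Type: application/octet-stream; name="immunity.eml"
Content-Disposition: attachment; filename="immunity.eml"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--B1--
"""

# Attachment name suffixes worth flagging (assumed list; .eml is the one the page names).
SUSPICIOUS_EXT = (".eml", ".exe", ".scr", ".pif", ".bat")


def analyze(raw: bytes) -> dict:
    """Extract the Klez indicators from a raw RFC 822 message: From/Return-Path
    mismatch, risky attachment names and an empty text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    names = [p.get_filename() for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body is not None else ""
    return {
        "from": from_addr,
        "return_path": return_path,
        "sender_mismatch": bool(return_path) and from_addr != return_path,
        "risky_attachments": [n for n in names if n and n.lower().endswith(SUSPICIOUS_EXT)],
        "empty_body": body_text == "",
    }


def is_klez_like(raw: bytes) -> bool:
    """True when all three indicators are present at once."""
    r = analyze(raw)
    return r["sender_mismatch"] and bool(r["risky_attachments"]) and r["empty_body"]
```

A single indicator on its own (a forwarded message, or a legitimately relayed mail) is not proof of infection; the combination is what matches the behaviour the page describes.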

This document entitled « The Klez virus » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.